Sunday 28 February 2016

Basics of Risk Assessment - IT Audit


Million Dollar Question: What is Risk? The reason I call it a million dollar question lies in the
definition(s) of the term 'Risk'. The term 'Risk' has been defined in multiple ways, and the definition
chosen tends to bend to whatever situation it is being applied to. In spite of the many competing
definitions of RISK, in practice every human being is a Risk-Pro. When I say everyone, I mean
EVERYONE, irrespective of literacy level or profession.

Let us take a simple illustration. During the rainy season, street vendors generally keep a plastic cover to
protect their articles. Why so? Because they know that the PROBABILITY of rain is high and that it
could IMPACT their valuable articles. In a corporate environment, we would complicate the same
example by saying "Articles are VULNERABLE to the THREAT of rain and hence a RISK RESPONSE is required in the form of some CONTROL (i.e. a plastic cover) to MITIGATE the RISK ELEMENT."
Wow. Now our dear vendor also knows that it is not worth spending Rs. 100/- on a plastic cover to protect articles costing Rs. 50/-. In our terms: "COST of CONTROL should not exceed COST of RISK". I doubt whether street vendors have ever heard these terms in their life, but I am pretty sure that they actually understand RISK and RISK TREATMENT in their daily activities.

Again. What is risk? Let us look at some of the widely accepted definitions of risk.

ISO 27005: The potential that a given threat will exploit vulnerabilities of an asset or group of
assets and thereby cause harm to the organisation.

ISO/IEC Guide 73: Risk is the combination of the probability of an event and its consequences.

Dictionary Meaning: a situation involving exposure to danger.

ISO 31000: Risk is the “effect of uncertainty on objectives”

Business Dictionary: A probability or threat of damage, injury, liability, loss, or any other negative
occurrence that is caused by external or internal vulnerabilities, and that may be avoided through
preventive action.

Oxford Dictionary: The probability of something happening multiplied by the resulting cost or benefit if it does.

If you observe, almost every definition speaks directly or indirectly about two terms:
PROBABILITY & IMPACT.

In its simplest form, RISK is the product of PROBABILITY and IMPACT.



RISK=PROBABILITY*IMPACT

i.e. RISK=P*I


Both terms are equally important while determining risk. Let us continue with the same plastic
cover example. The probability of rain is very high, say 1; however, the articles are water-proof and hence the impact is nil, i.e. zero, even if it rains heavily.

So the risk of rain to the articles will be:


RISK=P*I
i.e. RISK=1*0 =0


Please note that in a real-life scenario, quantifying RISK is not an easy task. The probability of arriving at an
ACCURATE PROBABILITY is itself questionable in certain scenarios. Okay, I know that ACCURATE and PROBABILITY are incompatible with each other (:-

Another approach to understanding risk is to understand the concepts of VULNERABILITY and
THREAT. Again, both elements must be present (i.e. V*T) to constitute a risk. A fort without guards is vulnerable to outside attack. However, luckily, nowadays no one is interested in capturing a ruined fort, and hence the threat is nil. Hence the risk of attack is nil in spite of the high
vulnerability, because the threat is absent.

The prime objective of any risk assessment exercise is to identify the risk, understand the risk, quantify the risk (though this is not always possible) and treat the risk.

Okay. We do all this exercise. Why? Yes. To protect our precious ASSET. So the very first step of a risk assessment exercise is to identify the ASSET which we want to protect. This is the essence of the whole exercise. Why waste time and money on something that is not critical? It must be noted that the
usefulness of an asset is not always defined by its financial value; other attributes must also be
accounted for. For example, a Data Leakage Prevention Policy (DLPP) aims to protect DATA whose
market value can be negligible, yet in the presence of privacy laws that DATA is considered valuable because of the
relevant regulations. Assets can be tangible or intangible. Many organisations consider their
'REPUTATION' as their supreme asset.

The following is a structured process to carry out a risk assessment exercise:
(a) Identify the assets.

(b) Identify vulnerabilities/threats.

(c) Perform impact analysis. Define a risk indicator. Remember, R = P*I. It can be quantified or
qualified (High/Medium/Low).

(d) Apply controls through appropriate risk treatment.

(e) Still some vulnerabilities present? Yes. Is this acceptable? No. Then apply some more
controls. But always ensure the COST of CONTROL does not exceed the COST of RISK. I would never pay
one hundred and fifty crore rupees in insurance premium to protect my bungalow worth
Rs. one hundred crore. (No. I don't have a 100 crore bungalow. But I hope you got the point.)

(f) Okay, now is the risk acceptable? Yes. Then live happily with it. Let it reside with us. It is
known as RESIDUAL risk.

Risk assessment is an iterative exercise. The above cycle is to be repeated at regular intervals to address
new vulnerabilities. Continual risk assessment (CRA) is also critical to ensure that existing controls
remain effective.
Let us understand how the above steps are performed to address IT Risks in an organisation:

Identification of Assets:

ISACA’s RISK IT framework defines IT risk as follow:

IT risk is business risk – specifically, the business risk associated with the use, ownership,
operation, involvement, influence and adoption of IT within an Enterprise. It consists of IT related
events that could potentially impact the business.

In order to analyse IT Risks, the prime requirement for an IS auditor is to understand the business
environment. The IS auditor is required to gather information about the industry and the relevant regulatory
statutes. Knowledge of the business will help an IS auditor understand which IT assets contribute to
the business and the extent of dependence on technology to process and deliver business information.
This in turn helps identify critical IT assets. Risk assessment is then carried out to ensure the
confidentiality, integrity and availability (CIA triad) of the identified mission-critical IT assets.

Threat Analysis:

So now we have identified our TREASURE (ASSET). We must also be aware of who else is interested in our treasure. Our enemy could be an earthquake, fire, hackers, malware, system failure, criminals and many other unknown forces. We need to list each threat that can have an impact on the assets.

Now assign a probability or frequency of occurrence to each threat. I know that is not an easy job, but that is what we
are paid for. Probability can also be expressed as a ranking, i.e. High, Medium, Low, or on a numeric scale, i.e. 1 to 10.

Vulnerability Analysis:

Take a magnifying glass and examine our mission-critical asset to identify the presence of any black
spot. A black spot indicates a weakness. A vulnerability can take the form of weak coding, missing anti-virus,
weak access control and other related factors. It is advisable to list each vulnerability and its
corresponding proposed control. Vulnerabilities are to be ranked on the basis of criticality.

Impact Analysis:

Through the earlier steps we have identified our Assets, our ENEMIES (Threat Analysis) and our own WEAKNESSES (Vulnerability Analysis). Impact Analysis helps us understand what will happen if all three of them shake hands.

Impact can be measured QUALITATIVELY or QUANTITATIVELY. For better risk treatment, it is advisable to quantify the impact. But as discussed earlier, it is a tough job. The most common method to quantify risk is to calculate single loss expectancy (SLE) and annual loss expectancy (ALE).

SLE = Asset Value * Exposure Factor (EF)
The exposure factor is the expected percentage of the asset's value that is lost if a threat is realised.

ALE = SLE * Annualized Rate of Occurrence (ARO)
ARO is the estimated frequency of a specific threat within a year (e.g. 0.5 means once in two years).

However, in the absence of precise measurement, impact can also be classified as high/medium/low, or some other indicators can be used. When we speak of Information Systems, the impact can be loss of confidentiality, loss of integrity or loss of availability. The prime purpose of classifying the impact is to prioritise risk treatment for high-impact risks.
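The following is an added worked example (not code from the original post) that runs the structured process above as a small risk register: it computes SLE and ALE for each asset/threat pair, ranks the register by ALE, falls back to a High/Medium/Low rating, and then applies the "COST of CONTROL should not exceed COST of RISK" test to decide between mitigating and accepting, reporting the residual ALE. The asset values, exposure factors, AROs, control costs and the H/M/L thresholds are constructed illustrative figures, not real data.

```python
"""Quantitative risk register: SLE/ALE, control cost-benefit and residual risk.

Added example, not part of the original post. All figures below are constructed
for illustration (one currency unit throughout); thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: float       # value of the asset
    exposure_factor: float   # fraction of the asset value lost per occurrence (0..1)
    aro: float               # annualised rate of occurrence (events per year)


@dataclass
class Control:
    name: str
    annual_cost: float       # what the control costs per year
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float           # ARO once the control is in place


def sle(asset_value, exposure_factor):
    """Single loss expectancy: loss from one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annual loss expectancy: SLE scaled by expected occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def qualitative_rating(annual_loss, asset_value):
    """H/M/L fallback when exact figures are not trusted: ALE relative to asset value.
    The 20% / 5% thresholds are an assumption for this example."""
    ratio = annual_loss / asset_value if asset_value else 0.0
    if ratio >= 0.20:
        return "High"
    if ratio >= 0.05:
        return "Medium"
    return "Low"


def rank_register(risks):
    """Highest inherent ALE first, so treatment effort goes to the biggest exposure."""
    return sorted(risks, key=lambda r: ale(r.asset_value, r.exposure_factor, r.aro), reverse=True)


def evaluate_control(risk, control):
    """Cost of control must not exceed cost of risk: the control is worthwhile only if
    (inherent ALE - residual ALE) > annual cost. Returns a dict for the register."""
    inherent = ale(risk.asset_value, risk.exposure_factor, risk.aro)
    residual = ale(risk.asset_value, control.new_exposure_factor, control.new_aro)
    net_benefit = inherent - residual - control.annual_cost
    return {
        "asset": risk.asset,
        "inherent_ale": inherent,
        "rating": qualitative_rating(inherent, risk.asset_value),
        "control": control.name,
        "residual_ale": residual,
        "net_benefit": net_benefit,
        "worthwhile": net_benefit > 0,
        # If the control is not worth its cost the inherent risk stays as residual risk.
        "treatment": "mitigate" if net_benefit > 0 else "accept",
    }


def build_register():
    """Constructed sample register (illustrative values, not real data)."""
    return [
        Risk("Customer database", "ransomware", "unpatched file server", 1_000_000, 0.4, 0.5),
        Risk("Office printer", "hardware failure", "no maintenance contract", 2_000, 1.0, 0.1),
    ]


def treatment_plan(register=None):
    """Run the whole cycle: rank, then evaluate a candidate control per risk."""
    register = build_register() if register is None else register
    # Constructed candidate controls, keyed by asset name.
    candidates = {
        "Customer database": Control("offline backups + patching", 30_000, 0.1, 0.25),
        "Office printer": Control("maintenance contract", 600, 1.0, 0.02),
    }
    return {r.asset: evaluate_control(r, candidates[r.asset]) for r in rank_register(register)}


if __name__ == "__main__":
    for row in treatment_plan().values():
        print(f"{row['asset']}: ALE {row['inherent_ale']:.0f} ({row['rating']}), "
              f"{row['control']} -> residual {row['residual_ale']:.0f}, {row['treatment']}")
```

Running it shows the two outcomes the post describes: the database control removes far more ALE than it costs and is applied (leaving 25,000 of residual risk), while the printer contract costs 600 to remove 160 of annual loss, so, like the Rs. 100/- cover for Rs. 50/- of goods, the risk is simply accepted.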

Risk Treatment:

Time to build the GREAT WALL OF CHINA. Once the potential impact has been identified through
qualitative or quantitative analysis, the next step is to decide how to eliminate or reduce the impact, i.e.
how to treat the RISK. There are generally four approaches to risk treatment. They are

(i)Risk Mitigation
(ii)Risk Transfer
(iii)Risk Avoidance
(iv)Risk Acceptance

It must be noted that risk treatment depends heavily on perception and risk appetite. For the same risk, different
treatments can be applied depending on how one perceives the risk.
Let us take an example to understand the above approaches.

The Meteorological Department has indicated heavy rain and we need to attend ISA classes. The risk of rain can be treated in any of the following ways:

-The majority of the students will be well prepared and will arrange an Umbrella or Raincoat to protect
themselves from the Rain. (risk mitigation)

-Some courageous students will not bother to carry an Umbrella/Raincoat. (risk acceptance)

-I am pretty sure there will be some students like me who will avoid going to classes. (risk avoidance)

-None of the above transfers the risk; a student who insures the laptop in his bag against water damage has shifted the financial consequence to the insurer. (risk transfer)

At an organisational level, it is not always possible to mitigate all the RISK. A RISK-free business is an
illusion, though the objective of risk treatment is to bring about the greatest possible reduction in RISK. The IS auditor
needs to understand the IT RISKS and the corresponding controls.
There are different standardised methodologies specifically designed for RISK Assessment of
Information Technology Systems, such as NIST SP 800-30, FRAP (Facilitated RISK
Analysis Process) and OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation).
Though each methodology is developed for a specific purpose, they share the same basic core components
that we have already discussed above, i.e. identify vulnerabilities and threats and calculate risk values.

Please do write in case of any concerns/queries/suggestions.


3 comments:

  1. CISA Participants: By reading this article you have secured at least 5 questions (:- want to secure 2 or 3 more questions.. then read this article on wi-fi security. Pay attention to the SSID and MAC filtering part http://datainfosec.blogspot.in/2016/02/network-security-simple-step-to-secure.html
